author | Isaac Boukris <iboukris@gmail.com> | 2019-08-07 19:39:10 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2019-09-09 09:56:50 -0400 |
commit | d975dd1eae7b22b14ce7aa6eefb523e9b3c022ba (patch) | |
tree | b1942e332d668f56f48984f65318d385c75c0f4d | |
parent | d47f7dba3779c9e36e1dedaac830dac1dd248fb3 (diff) | |
Add API to get client account name from PAC
Add a krb5_pac_get_client_info() API to interpret the PAC_CLIENT_INFO
buffer of a PAC. This API is needed by KDB plugin modules to set the
reply client for cross-realm RBCD requests.
[ghudson@mit.edu: added doxygen comment; clarified commit message]
ticket: 8828 (new)
-rw-r--r-- | doc/appdev/refs/api/index.rst | 1 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 22 | ||||
-rw-r--r-- | src/lib/krb5/krb/pac.c | 42 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 | ||||
-rw-r--r-- | src/lib/krb5_32.def | 1 |
5 files changed, 59 insertions, 8 deletions
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 70efc3e..727d9b4 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -253,6 +253,7 @@ Rarely used public interfaces
 krb5_pac_sign_ext.rst
 krb5_pac_verify.rst
 krb5_pac_verify_ext.rst
+ krb5_pac_get_client_info.rst
 krb5_prepend_error_message.rst
 krb5_principal2salt.rst
 krb5_rd_cred.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index eed38fd..d486853 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8338,6 +8338,28 @@ krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
 const krb5_keyblock *privsvr_key, krb5_boolean with_realm,
 krb5_data *data);
 
+
+/*
+ * Read client information from a PAC.
+ *
+ * @param [in] context Library context
+ * @param [in] pac PAC handle
+ * @param [out] authtime_out Authentication timestamp (NULL if not needed)
+ * @param [out] princname_out Client account name
+ *
+ * Read the PAC_CLIENT_INFO buffer in @a pac. Place the client account name as
+ * a string in @a princname_out. If @a authtime_out is not NULL, place the
+ * initial authentication timestamp in @a authtime_out.
+ *
+ * @retval 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in @a
+ * pac, ERANGE if the buffer contains invalid lengths.
+ *
+ * @version New in 1.18
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context, const krb5_pac pac,
+ krb5_timestamp *authtime_out, char **princname_out);
+
 /**
 * Allow the appplication to override the profile's allow_weak_crypto setting.
 *
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 5efc91e..950beda 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
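Review bot: The doxygen block added for krb5_pac_get_client_info in the krb5.hin hunk never says who owns the string returned in princname_out or how to release it, even though the pac.c implementation hands the caller a buffer it built; add a sentence stating that the caller owns @a princname_out and must release it (the old k5_pac_validate_client's release of pac_princname is outside the hunk, so confirm the deallocator before naming it). The @param line should also mark the parameter as required, `@param [out] princname_out Client account name (must not be NULL)`, since pac.c writes through it unconditionally while authtime_out is NULL-checked. As rendered here the block opens with `/*` rather than the `/**` used by the following allow_weak_crypto comment; if that is the real text, doxygen will skip it and the krb5_pac_get_client_info.rst entry added to index.rst will have nothing to document.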
@@ -399,21 +399,23 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, uint64_t *ntTime)
 return 0;
 }
 
-krb5_error_code
-k5_pac_validate_client(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- krb5_boolean with_realm)
+krb5_error_code KRB5_CALLCONV
+krb5_pac_get_client_info(krb5_context context,
+ const krb5_pac pac,
+ krb5_timestamp *authtime_out,
+ char **princname_out)
 {
 krb5_error_code ret;
 krb5_data client_info;
- char *pac_princname, *princname;
+ char *pac_princname;
 unsigned char *p;
 krb5_timestamp pac_authtime;
 krb5_ui_2 pac_princname_length;
 int64_t pac_nt_authtime;
- int flags = 0;
+
+ if (authtime_out != NULL)
+ *authtime_out = 0;
+ *princname_out = NULL;
 
 ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info);
@@ -441,6 +443,30 @@ k5_pac_validate_client(krb5_context context,
 if (ret != 0)
 return ret;
 
+ if (authtime_out != NULL)
+ *authtime_out = pac_authtime;
+ *princname_out = pac_princname;
+
+ return 0;
+}
+
+krb5_error_code
+k5_pac_validate_client(krb5_context context,
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ krb5_boolean with_realm)
+{
+ krb5_error_code ret;
+ char *pac_princname, *princname;
+ krb5_timestamp pac_authtime;
+ int flags = 0;
+
+ ret = krb5_pac_get_client_info(context, pac, &pac_authtime,
+ &pac_princname);
+ if (ret != 0)
+ return ret;
+
 flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
 if (!with_realm)
 flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index f036b1a..55e2635 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -498,6 +498,7 @@ krb5_pac_sign
 krb5_pac_sign_ext
 krb5_pac_verify
 krb5_pac_verify_ext
+krb5_pac_get_client_info
 krb5_parse_name
 krb5_parse_name_flags
 krb5_prepend_error_message
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 67ac1d3..c327ceb 100644
--- a/src/lib/krb5_32.def
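Review bot: At `*princname_out = pac_princname;` in the second pac.c hunk, ownership of the freshly built string passes to the caller, but nothing in the function says so; a one-line comment `/* The caller now owns pac_princname. */` above that assignment would make the contract explicit. The same hunk's new k5_pac_validate_client consumes that string and its body runs past the end of the hunk, so the matching release is not visible here; the error paths after a successful krb5_pac_get_client_info call are worth checking so the name is not leaked. In the first hunk, `*princname_out = NULL;` dereferences the out-pointer without the NULL check that authtime_out gets, which is fine only if princname_out is documented as required. The ENOENT and ERANGE returns promised by the public header live in the stretch between the two hunks, so they could not be confirmed from this diff.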
+++ b/src/lib/krb5_32.def
@@ -488,3 +488,4 @@ EXPORTS
 ; new in 1.18
 krb5int_c_deprecated_enctype @450 ; PRIVATE
+ krb5_pac_get_client_info @451 |